<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>U-Boot Project - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/u-boot-project/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 17:19:10 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/u-boot-project/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-29009 - U-Boot Buffer Overflow in nfs_readlink_reply()</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-29009-u-boot-buffer-overflow/</link><pubDate>Wed, 08 Jul 2026 17:19:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-29009-u-boot-buffer-overflow/</guid><description>A buffer overflow vulnerability exists in the nfs_readlink_reply() function of U-Boot versions up to 2026.04-rc3 when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to exploit it by sending multiple relative symlink targets, each approximately 1100 bytes long, to overflow the 2048-byte nfs_path_buff, corrupting adjacent BSS variables and potentially leading to memory corruption and control over the NFS client's state machine.</description><content:encoded><![CDATA[<p>U-Boot through 2026.04-rc3 contains a severe buffer overflow vulnerability (CVE-2026-29009) residing within the <code>nfs_readlink_reply()</code> function in <code>net/nfs-common.c</code>. This flaw is exploitable when <code>CONFIG_CMD_NFS</code> is enabled, a common configuration for devices that boot over a network. A malicious or compromised NFS server can exploit this by crafting a sequence of two or more READLINK responses. Each response must contain a relative symlink target approximately 1100 bytes long. When these are appended by the vulnerable U-Boot client without proper cumulative length validation, the 2048-byte <code>nfs_path_buff</code> buffer overflows. This leads to the corruption of adjacent BSS variables, including critical network configuration data like <code>nfs_server_ip</code>, <code>nfs_server_mount_port</code>, <code>nfs_server_port</code>, <code>nfs_our_port</code>, <code>nfs_state</code>, and <code>rpc_id</code>. The consequence is memory corruption and the potential for an attacker to gain control over the U-Boot NFS client's state machine, enabling further compromise of the embedded device or system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises or gains control of an NFS server.</li>
<li>A vulnerable U-Boot client, with <code>CONFIG_CMD_NFS</code> enabled, attempts to perform an NFS operation (e.g., read a symlink) from the attacker-controlled NFS server during its boot process.</li>
<li>The attacker's NFS server sends the first READLINK response to the U-Boot client. This response contains a crafted relative symlink target of approximately 1100 bytes.</li>
<li>The U-Boot client's <code>nfs_readlink_reply()</code> function processes this response and appends the symlink target to its internal <code>nfs_path_buff</code> buffer, which has a capacity of 2048 bytes.</li>
<li>The attacker's NFS server then sends a second READLINK response, also containing a relative symlink target of approximately 1100 bytes.</li>
<li>The <code>nfs_readlink_reply()</code> function attempts to append this second symlink target to <code>nfs_path_buff</code> without validating the cumulative length of the appended data.</li>
<li>This second append causes the <code>nfs_path_buff</code> buffer to overflow, corrupting adjacent BSS variables in memory, such as <code>nfs_server_ip</code>, <code>nfs_state</code>, and <code>rpc_id</code>.</li>
<li>The memory corruption provides the attacker with potential control over the U-Boot NFS client's state machine, allowing for manipulation of the boot process or further arbitrary actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-29009 can lead to severe memory corruption within the U-Boot environment. Attackers can corrupt critical BSS variables, including network configuration parameters and the internal state of the NFS client. This grants the attacker control over the U-Boot NFS client state machine, potentially allowing them to manipulate the boot process, redirect network traffic, or execute arbitrary code during the initial boot stages. While no specific victim counts or industry sectors are identified in the disclosure, any embedded system or device utilizing U-Boot with NFS boot capabilities enabled is at risk, potentially leading to full device compromise before the main operating system even loads.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-29009 on all affected U-Boot installations immediately.</li>
<li>Review and disable the <code>CONFIG_CMD_NFS</code> option in U-Boot builds if NFS boot functionality is not strictly required.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>buffer-overflow</category><category>vulnerability</category><category>firmware</category><category>nfs</category><category>u-boot</category></item><item><title>CVE-2026-29008: U-Boot Integer Underflow Leads to Bootloader Crash</title><link>https://feed.craftedsignal.io/briefs/2026-07-u-boot-cve-2026-29008/</link><pubDate>Wed, 08 Jul 2026 17:18:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-u-boot-cve-2026-29008/</guid><description>An integer underflow vulnerability (CVE-2026-29008) in U-Boot's `tcp_rx_state_machine()` function allows a network-adjacent attacker to crash the bootloader by sending a crafted TCP SYN+ACK packet, potentially preventing device boot and leading to memory corruption.</description><content:encoded><![CDATA[<p>U-Boot versions up to and including 2026.04-rc3 are susceptible to an integer underflow vulnerability (CVE-2026-29008) within the <code>tcp_rx_state_machine()</code> function, located in <code>net/tcp.c</code>. This flaw enables a network-adjacent attacker to trigger a bootloader crash, thereby preventing the device from booting. The attack involves sending a specially crafted TCP SYN+ACK packet where the data offset field is manipulated. This manipulation causes the <code>payload_len</code> variable to become negative. Subsequently, this negative value is implicitly converted into a large unsigned integer when passed to <code>memcpy()</code> within the <code>store_block()</code> function, leading to an excessive memory copy operation and an immediate system crash. If <code>CONFIG_LMB</code> is disabled, this could also result in memory corruption. This vulnerability poses a significant denial-of-service risk for embedded systems utilizing affected U-Boot versions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains network adjacency to a vulnerable device running U-Boot.</li>
<li>The attacker crafts a malicious TCP SYN+ACK packet.</li>
<li>The data offset field within the crafted TCP SYN+ACK packet is manipulated to an invalid value.</li>
<li>The vulnerable U-Boot bootloader receives the malformed TCP SYN+ACK packet in its <code>tcp_rx_state_machine()</code> function.</li>
<li>During processing, the manipulated data offset causes the <code>payload_len</code> variable to become a negative integer.</li>
<li>The <code>TCP_SYN_SENT</code> handler calls <code>tcp_rx_user_data()</code> without proper <code>tcp_seg_in_wnd()</code> validation for the malformed packet.</li>
<li>The negative <code>payload_len</code> is implicitly converted to a very large unsigned integer, which is then passed to <code>memcpy()</code> in <code>store_block()</code>.</li>
<li>The <code>memcpy()</code> operation attempts to copy an excessively large amount of data, resulting in an immediate bootloader crash and device failure to boot, with potential memory corruption if <code>CONFIG_LMB</code> is disabled.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-29008 leads to a denial of service (DoS) by causing the affected U-Boot bootloader to crash. This prevents the device from successfully booting, rendering it inoperable until manual intervention or a power cycle. The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high severity. Furthermore, if the <code>CONFIG_LMB</code> option is disabled, the arbitrary large <code>memcpy()</code> operation could result in memory corruption, potentially leading to further compromise beyond a mere crash, though direct code execution is not explicitly detailed. This impacts embedded devices and systems that rely on U-Boot for their boot process.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch U-Boot to a version beyond 2026.04-rc3 to remediate CVE-2026-29008.</li>
<li>Implement network intrusion detection/prevention systems (IDS/IPS) to block malformed TCP SYN+ACK packets, particularly those with anomalous data offset values associated with CVE-2026-29008 exploitation attempts.</li>
<li>Review network firewall rules to ensure only legitimate and properly formed network traffic reaches critical embedded devices running U-Boot.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>bootloader</category><category>network</category><category>embedded-systems</category></item></channel></rss>